Password Manager: Easily Store, Use and Protect All Your Passwords – from Hackers

Quite a lot has been said about using a password manager on the internet in general. Yet, it still remains a relatively under utilized solution by the larger section of internet users.

And when it comes to password security, the role of a password management solution cannot be overemphasized.

The solution to forgetting your passwords

People struggle with remembering all their passwords for different accounts, and also with keeping them safe – particularly when they want to use a password that is strong and cannot be easily cracked.

Hence they have to deal with a password reset to get back into their accounts all the time. And many times they may no longer have access to the mobile number or email address (again, due to forgotten passwords) to receive password reset instructions.

However, the solution to both of these problems of forgetting your passwords and keeping them safe lies in using a password manager.

In this study, I’ve got you covered on just about everything on password managers; what it is, why it’s important for you and any specific considerations to bear in mind when choosing one.

Let’s start off first by getting a clear definition of the topic at hand so that everyone can be on the same page.

What is a Password Manager

A password manager is a small piece of software that you can use to securely store ALL your passwords including other account credentials for various online accounts. It also helps you easily fill in those login details without the need of copying and pasting.

This piece of software is available as mobile applications which you can easily install on your smartphone, and on desktops, it exists either as standalone software or simple browser extensions. I personally prefer to use the browser extensions on desktops.

The password manager software encrypts all your passwords stored within its vault with a single password you will set called the master password.

So you have to know and remember ONLY the master password which then gives you secure access to all of your other passwords stored within.

Why Use a Password Manager

Now that you know what a password manager is, let’s move on to the reasons you should consider using one.

A password manager not only helps you manage passwords it also does other things that many times it does not get proper credit for.

A password manager helps you:

1. Forget about forgetting passwords

This is the #1 job of password managers, to help you organize your digital life so you’ll never forget a password again, or forget an account you have with a website or service.

It takes away the burden of remembering all of your passwords for the different online services you use, so you’ll never have to get into your account via a password reset.

I’m sure you can already begin to see the benefit this has.

2. Generate strong passwords

Password managers have built-in password generators that create long, complex, randomized passwords that are impossible for malicious hackers to crack/guess.

Through a cyberattack method known as password cracking an attacker could easily figure out what their victim’s password is.

Password security is a broad topic. We’ll discuss more on this in future posts.

Now this leads us well into the next point…

3.Defeat hackers

ACCESS is all that matters to cyber criminals after your money and/or data. And your creds (short for ‘credentials’, which essentially is your username and password) is what gives them that access.

Passwords holds the keys to your online kingdom!

A relatively inexpensive, yet super effective method cybercriminals would get your passwords online is through a technique called PHISHING(I have explained this below, keep reading).

But password managers provide some really good defenses against phishing attacks, making it another problem they solve! (Which I quite agree with Larry from ZDNet).

So how does a password manger achieve this? Let’s analyze it!

When you go to log in to your online banking or Facebook account you’ll type in, for example, www.facebook.com in your browser. And if you were not already logged in, you’ll be presented with a login screen to enter your credentials for that Facebook account.

If you use a password manager and you have saved your Facebook account then it would attempt to automatically fill in your credentials on that login screen and log you in. This is the correct way things should work.

But in the case where you are being phished, the attacker sends you to a phony login which looks like the real Facebook login.

The only way to know is if you can decipher the URL in the address bar of your browser.

You’ll find out that instead of the login to be coming from the original and correct www.facebook.com domain, it would coming from something fake like www.faceboook.com (notice the triple “O’s”) or any such variants.

Recently a more disturbingly clever approach attackers have adopted is using a subdomain of a bad website (one they control). In this case, you would have something like www.facebook.com.login-evilsite.ru be the website address.

“Evilsite.ru” is the website the attacker controls and “facebook.com.login” is the subdomain which could be anything e.g “instagram.com.myaccount”. (You get the idea).

And as long as the victim sees “facebook.com” at the beginning (at least for those who are savvy enough to check) they just put in their login details.

Whereas the attacker on the backend is waiting, ready with fingers crossed to harvest those credentials as soon as they drop.

(This is a study we’ll dive deeper into in another post along with video illustrations, so stay tuned!).

I have lost count of the number of Facebook accounts that I’ve seen reported stolen with this method since I came into the InfoSec industry.

Knowing whether you are about to log in at the correct website address (or domain) for your Facebook account or banking website or any other online account for that matter, is tricky! And many times experienced people who are cybersecurity aware fall flat for this, let alone a novice.

But the good news is your password manager can prevent you from this well and with ease if you can trust it.

How?

A password manager will NOT offer to fill in your credentials neither will it attempt to log you in automatically if the domain for which it has a credential stored does not match the domain on the URL of your browser’s address bar.

If the user still goes ahead to try to fill in the phony login with their creds, some password managers display a warning informing the user of a URL mismatch.

However, digital security education is still necessary for users not to fall for this kind of cyber attacks. As a business owner or company, the place of security education of your employees cannot be overemphasized because humans can override security measures put in place.

You will find out most users will go ahead to login disregarding the warnings or even worst, copy-paste the credentials in manually, if they are not taught what to do in cases like that.

4. Securely store credentials

Other than your login credentials, password managers are capable of storing other digital records for later use or safekeeping.

Think of it as an online wallet that keeps your digital records secure.

This is a lot of sensitive information here! But it can only be accessed by you and those you choose to share with.

And if you want to know how well password managers can secure this data, we’ll discuss this in the coming sections, keep reading!

5. Simplify your life online

A password manager removes the hassle of accounts credential security and frees you up to get back to the things you love to do online.

i. Simplify form fills: Filling personal information over and over on web forms is what I hate to do most when I’m working online.

Having to enter my name, email, gender, home address, and all that related re-curing info when I have to register for something online, or even log in, is a hassle for me personally. And I’m sure many of you who your work depends on being online hate this as well.

So what I do is just leave all that hard work for my password manager’s form fill feature. I enter the details once and boom! It fills it in correctly where I need it, every single time, with just one click.

And what’s more I can create as many profiles for different personas (e.g I have a demo persona I use for tutorials). I absolutely love this feature and you will too.

ii. Simplify online shopping: Checkout faster when you are ready to pay at an online store.

All you have to do is choose the profile which you have stored your payment details and have it securely and conveniently fill in your credit card details for you.

This is a handy feature if you do online shopping often and it’s a huge time saver.

I know some online stores or websites offer to save your credit card details, and those type of information so that checkout can be snappier and convenient too. But you put your personal data at risk, because they may not be storing it securely (enter the Equifax breach). Why not use your password manager which is safer.

iii. Simplify log in and access across different devices: Logging on to online accounts has never been easier and faster for me when using a password manager.

It’s fast to log in because the password manager has both a record of the website’s login URL and your login credentials. So it simultaneously performs the actions of visiting the website and logging you in.

What I do now whenever I want to get back into an online account is launch the website directly from within my password manager’s vault and give it a sec to do its thing.

This has just made life easier online. And coupled with the ease of being able to access all my saved password across different devices (more on this coming up).

Your Browsers Built-in Password Manager is a Security Risk

This is a feature you should disable on your browsers across devices particularly on your desktop browsers. It’s a big security risk!

And if you have been using the built-in password manager on your browser, then it’s time you made the switch to a software designed with security in mind to perform this task.

Just in case someone doesn’t quite follow.

Web browsers come with some kind of passwords management system that attempts to behave like password managers, but they cannot be compared with specialized software and apps built for that purpose.

If you have seen any of the notifications pictured in the screenshots below after you signed in to a website in your browser, then you know what we are talking about.

Chrome browser save password desktop-mobile screenshot grid

Why you should have it disabled

The supposed password manager that comes with your browser is only just a passwords saver and nothing more. Here are it’s main disadvantages.

Firstly, anyone with a malicious intent who can handle your device can easily locate the passwords safe in your browser and take a photo of the passwords screen with their smartphone, or simply just copy or memorize them.

Secondly, if your computer has been infected with malware, the attacker controlling the malware has the ability to query your browser to submit all its saved passwords, because the passwords safe has little to no protection on your computer.

Thirdly, with only a moment of unrestricted access to your home or work computer, a malicious hacker/coworker/neighbor could use a weaponized USB device to glean all that passwords from the passwords safe of your browser. All it takes is some code put on a special USB and plugged on your computer for at least 30 seconds or thereabout. And these devices are not hard to get. Scary right?

Whichever be the case, it’s certainly going to be a bad day for you!

The worst part about your passwords stolen this way is that you won’t even know and they may continue to be used against you for a very long time.

Especially when you don’t follow password security best practices like changing your passwords at least once every 6 months, and more frequently than that for critical account passwords.

2. Lacks features

It lacks ALL the features that would have qualified it to be a passwords manager such as the ability to generate passwords, fill forms automatically, notify you when one of your passwords have been compromised in a breach, or have any form of customer support service when you need help.

3. Lacks portability

Your built-in browser password saver is tied to one browser – the browser it lives on.

It cannot be synchronized between different browsers on the same device let alone browsers on different devices.

Overall, using a dedicated password manager gets you in the habit of working towards getting unique passwords for different sites and services.

And it is the correct way to go if you must use a password management system.

What is the Best Password Manager

We’ll examine them under two main categories – online vs. offline, along with their pros and cons, and find which type might be the best for you.

I’ll provide answers to some important re-curing questions bothering on using password managers after this section. If you find that you are tripping over new words we have not discussed yet perhaps you should read the answer to what makes a good password manager first.

Online Password Manager Vs. Offline Password Manager

Offline Password Managers

They are typically implemented as standalone desktop-based or mobile applications. That is they operate just like any other software on your computer or mobile app on your smartphone and tablets.

Some of the best offline password managers in this category that really standout includes:

KeePass

KeePass 2.x on desktop screenshot

Free to use and open source

Supported on Windows, Mac, Linux, BSD, Android, and iOS

AES 256-bit and Twofish Encryption method

KeePass is available in two different editions: 1.x and 2.x. They are fundamentally different (2.x is not based on 1.x). Both editions run on Windows operating systems; KeePass 2.x additionally runs on Mono (Linux, Mac OS X, BSD, etc.).

If you decide to use KeePass password manager, by all means, use the 2.x edition it’s better.

KeePass because of it’s open source nature has a long list of contributed/unofficial ports for Android and iOS. Two that are worthy of mention are MiniKeePass (for iPhone / iPad) and KeePass2Android (for Android). Derrik from maketecheasier has more to say on KeePass Android apps. See the full list below.

EnPass is an offline password manager offering you the peace of mind that all your data is with you only and nothing is stored on our servers.

EnPass has a beautiful user interface design that is consistent across all it’s apps which are simple and easy to use. The browser extensions offered depends on using the desktop application.

EnPass apps for mobile (iOS and Android) offered by EnPass themselves require an $11.99 one-time fee to upgrade to pro (per mobile device) to be able to store more than 20 items and create multiple vaults.

You should check out community reviews and research done on these password managers on articles written by the awesome folks at Slant and Freelancer.

Also be aware that nowadays, some of these offline password managers support combining local storage with cloud-based storage.

Advantages

1. Carries relatively lower risk. That’s because your data never leaves your machine where it is directly stored and encrypted.

2. Reliable and stable. Without an internet connection you can still get to your password vault and get work done.

Disadvantages

1. No syncing options. When you add accounts to the password manager vault it does not automatically become available on other machines or devices where you may need to use them.

2. Single point of failure. If your computer or mobile device gets damaged, lost or stolen, that could lead to loss of your password vault too.

3. Less likely to be recommended. The process of ensuring that the local password storage is safely backed up, or the workaround to manually integrate syncing across multiple devices might be too complex for non-technical users.

Simply put, you are still responsible for your passwords when using an offline password manager!

Online Password Managers

Your password database isfirst encrypted on your device locally before it is transmitted (in its encrypted form) to the online servers of your password manager provider for safekeeping and syncing purposes.

Decryption of the database is also done locally on your device after the encrypted database is retrieved from their online servers.

Some of the best online password managers in this category that standout includes:

LastPass

LastPass browser extension

Offers free version

Premium version for some extra features costs $2/month ($24/yr)

AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud

Automatic password changer (desktop extension only)

Supported on all desktops via browser extensions

Apps for Android, iOS, Smartwatch and Windows mobile

Apps support biometric login (fingerprint)

LastPass is the #1 preferred password manager for most security professionals and for good reason.

LastPass is essentially a browser extension on desktop. It works excellently within browsers. Its solidly supported on the major browsers (Chrome, Firefox, Safari, Opera and Edge) on Linux, Windows, and Mac.

It offers the major things for free in the free version which other password managers hide behind a paywall. And to be honest I don’t think you’ll miss the premuim version that much which is still the cheapest amongst its competitors.

LastPass apps for smartphones (iOS, Android and Windows Phone) are completely free to use. Also the apps support fingerprint login for easy vault access.

Dashlane packs a lot of useful features which makes it stand out amongst it’s competitors. Some of it’s newer features set a standard for what modern password managers should be.

Dashlane’s apps are slick with elegant user interfaces for almost every platform.

Dashlaneoffers security alert. If any of your accounts are involved in a breach, you get notified on your identity dashboard and on how to solve the issue. There is also Dark web monitoring which is a similar feature, and VPN protection when on an untrusted network like public WiFi but both of these are for premuim only users.

The Dashlane browser extension is available on Windows, Mac, Chromebook and Linux. It is officially compatible with Chrome, Firefox, Safari, Edge and Internet Explorer. It can also be installed in some other Chromium-based and Firefox-based browsers such as Opera, despite the fact that they are not officially supported.

Dashlane apps for smartphones (iOS and Android) are free to use (only on one device) with in-app purchases for Dashlane premium (for complete features) and Dashlane premium plus (only in the US).

Keeper doubles both as a secure password manager and a digital vault with its 1 terabyte (1TB) of secure digital storage.

Keeper’s new BreachWatch feature monitors the internet and dark web for breached accounts matching records stored within your Keeper Vault. BreachWatch alerts you so that you can take immediate action to protect yourself against hackers. Once activated, BreachWatch continuously monitors for compromised credentials.

Keeper apps for smartphones (iOS, Android, Windows Phone, and Blackberry) are free to use with in-app purchases for premuim versions. The apps have support for biometric login, fingerprint and facial recognition for a convenient and secure way to easily access your vault.

Advantages

Managing your password vault through these browser extensions is a lot easier and simpler.

You could do things like creating a strong unique password, updating an old/weak password, and add a new account. All WITHOUT LEAVING the browser or extension interface.

2. Access from anywhere. With an online password manager you do not have to carry carry the latest password file around just to work on a different machine/device.

Anywhere internet can be accessed, your passwords and data can be accessed.

You just add an account from whichever device you choose to work and have that password automatically become available on all other devices you need them instantaneously.

3. Highly recommendable for non-technical people. This is the category of password managers less tech-savvy people should be choosing from, where they don’t have to deal with managing the backup of their passwords database themselves.

Disadvantages

1. Your data is in the hands of your service provider. In the sad event that they go out of business, your data be lost.

Although I personally don’t see this as a real risk because with online password managers you can also have your passwords database locally stored where you can export them to an external hard drive or USB device for safekeeping.

2. Carries significant risk because data goes out to the internet.

This is, however, true for any system that lives on or is connected to the internet.

The only way to stay 100% secure online is to switch off and disconnect from the internet.

Now that we have seen the best password managers out there under the online and offline categories, it’s time to answer some frequently asked questions and call this a wrap.

Password Manager Frequently Asked Questions

I’ll keep adding answers to common questions people have regarding using password managers in this section so bookmark this page for future reference.

A. What Makes a Good Password Manager?

Just a while back, all it took for a password manager to be considered great was that it encrypted your passwords in a secure vault.

But nowadays with more and more password managers emerging, the competition is fierce. Many password managers have evolved to include more important and useful features to give us a smoother and safer experience online.

Here we will outline the essential features that makes modern password managers stand out as the best. And these are what you should look out in deciding which one to settle for.

1. Modern Security Architecture

A password manager with a strong cipher suite that uses the modern bulletproof AES 256-bit Encryption method that can withstand the latest security threats is what you are looking for.

2. Must Be Fully Cross-platform

You do not want a password manager that works on your Windows computer but does not have an app that works on your iPhone.

3. Syncing Options

We’ve said this a few times already, you want to be able to have your passwords and stored documents on whatever device you are currently using and at any time, seamlessly!

The offline password managers also have ways to sync across multiple devices but they are a bit of a cumbersome process.

4. Easy to use and intuitive

You do not want a password manager with a steep learning curve where you’ll have dive in to the documentation to know how to get basic things working. What you need is something with a simple to use, clean user interface that does not make ‘managing’ your password manager be part of your daily workflow.

5. IntegratedBreach Notification

Often times a website or online service you use might experience a data breach in which Email addresses, usernames and passwords become compromised.

Sometimes it’s the big names that are involved like in the LinkedIn breach and you may or may not get to know about it to change your passwords for that site.

When this happens, a good password manager should be able to notify it’s users of such a breach and mandate them to change their passwords immediately.

This is an essential feature you’ll agree that ALL password managers should incorporate.

Although, there are other ways in which you can monitor data breaches for yourself.

One way you can immediately check if your email account or password you are using right NOW has been compromised in a security breach is to use the haveibeenpwned website by renowned security researcher Troy Hunt.

You simply type in your email address or password and the website checks it against records from 6.4 billion previously breached accounts or 550+ million real world passwords previously exposed in data breaches. (If this statistic scares you, then its the more reason you should take what we are saying here seriously).

6. One-click Automatic Password Changer

Regularly updating old passwords is one of passwords best security practices.

Some password managers have the ability to directly log in to a site on your behalf and change your old password with an auto-generated, strong and unique one.

Although looking through a few of the password managers that currently have this feature you’ll quickly discover that not all websites are supported on this feature yet because of the non-uniformity of the web.

But overall it’s a feature that just makes life easier working with passwords and accounts security.

7. 2FA On Master Password

A good password manager should have the options to secure your master password with an extra layer of multi-factor authentication.

So that whenever your master password is used, you’ll get a code texted to your phone as a second factor of authentication (2FA).

B. Is it Safe to Use Password Management Applications?

With all the delicate information password managers keep, it’s perfectly fine for users to want to know how safe password management applications are.

The short answer is that good password managers are secure enough and definitely worth using.

What is even riskier is not using one at all or the alternatives to a password manager users commonly would go for which include:

Trying to commit over a dozen passwords to memory.

Re-using the same password everywhere.

Using weak, very easy to guess passwords.

Writing down passwords on stickers under their keyboard or pieces of paper.

Saving it on a passwords.txt text file, sticky notes or excel spreadsheets on their desktops.

Using the in-built browser password manager.

Malicious people around you or hackers on the internet know that users who have not yet embraced the use of password management apps and software will default to these alternatives and have crafty means of stealing those passwords.

Now this is not to say there are no risks at all involved in using password management systems.

Some of the risks you may face using password managers are:

First: It may be game over when you lose your master password!

The single biggest risk using a password manager is forgetting your master password.

Some password managers like Dashlane and LastPass have implemented a system where even they, can’t help you retrieve your master password if you forget it.

This means no employee of theirs can see your master password hence they can’t help you recover it.

So they strongly advise you to choose a passphrase that’s both strong and memorable.

Second: Some people have argued that using a password management system is putting all your online eggs in one basket.

Meaning a compromise of your master password would result in the compromise of all your other passwords stored.

Well, as true as this may be it’s a risk that can be mitigated or prevented against.

If you do your part by choosing a strong master password as we’ve said earlier then you can be rest assured that password management companies protect the communications between their customers and their servers with military-grade, end-to-end encryption.

This ensures no one can snoop on your master password or data in transmission back and forth the internet. It also makes the software and mobile apps really secure to use.

You may optionally add an extra layer of protection with a second factor of authentication (2FA).

So that even if someone were to manage to steal your master password (which is difficult enough) then they wouldn’t have the security code (second factor) to successfully authenticate to your password vault.

Lastly,others have said that using password management apps is trusting a company with too much of your sensitive data.

They also have said that these online password management companies run proprietary software and apps. Meaning they don’t reveal their code for security auditing or scrutiny, hence we cannot confirm if they are implementing security correctly.

Well, the same goes for the major corporations we have in the world today – Microsoft, Apple, Google, Facebook.

The code to their online products, services, software and operating systems that we have come to love, trust, and depend upon for business are all proprietary and closed source. And some password management software/applications are not any different.

The computer you use for work whether Microsoft’s Windows or Apple’s Macintosh; or the mobile devices, iPhone and Androidall run proprietary operating systems and software. We don’t get to see what goes on under the hood yet we trust using them.

Google Inc. and FacebookInc. are companies who work with big data and they collect far more data from us which probably are even more important than the data your password manager holds.

Also, many people depend on Google’s Gmail for their email, what happens when Google goes extinct?

Final Thoughts

In this study, we learnt what a password manager is, the types and best ones available. We went on to discuss extensively their importance in our daily lives online and then we provided answers to a few frequently asked questions.

So if you are not already using a password management solution I encourage you to join the millions of people who are. There is no reason not to, even if it’s just to give it a try.

Until something that can replace the use of passwords is introduced, we are going to be stuck using passwords for authentication for a very long time.

But until then you’re just a hack waiting to happen if you neglect what we’ve discussed here.

Thanks for reading, please consider using one of the social media buttons below to share this post with friends and family who also need this kind of information. I’d really appreciate it.

Did you enjoy this article or feel like you have anything else to add? I’d love to discuss it with you in the comment section below!

Your Questions regarding this topic are also welcome!

About The Author

My name is Ojo Iszy, I am an ethical hacker and cybersecurity expert. I started to learn hacking way back in 2014 completely through self-education. This gave me the opportunity to gain very sound & practical experience in cybersecurity and ethical hacking. Now I focus all of my time and energy teaching the best of what I have learned through the years on this blog, my YouTube channel, and in my online courses (launching soon).

27

Leave a Reply

This comment form is under antispam protection

3Comment threads

5Thread replies

0Followers

Most reacted comment

Hottest comment thread

5Comment authors

Recent comment authors

This comment form is under antispam protection

Subscribe

newestoldestmost voted

Notify of

Guest

The star project

Wow!! This was a long read but very educative!! I have always heard of password managers but I never knew it could save my facebook account from being hacked otherwise I would still have my old facebook account now and the facebook page associated with it. Thank you, I have bookedmarked this page.

Thanks so much for providing individuals with an extremely pleasant chance to read from this website. It is always so beneficial and full of fun for me and my office acquaintances to visit the blog not less than 3 times per week to read the new stuff you have got. And definitely, I am actually pleased with the superb principles you serve. Selected 2 points in this post are particularly the most impressive we have all ever had.

Egypt and Jordan Tours will give you times of fully packed activities on touring on different sites in Egypt and Jordan. One of the best sites that you can now visit is the famous Luxor Temple. Apparently the left-leaning journal has been a lot more swayed by the collectivist notion that you have no individual heroes or titans that drive the world-just influences, movements, and groundswells.

Hey I know this is off topic but I was wondering if you knew of any widgets I could add to my blog that automatically tweet my newest twitter updates. I’ve been looking for a plug-in like this for quite some time and was hoping maybe you would have some experience with something like this. Please let me know if you run into anything. I truly enjoy reading your blog and I look forward to your new updates.

I don’t even know the way I finished up right here, however I believed this submit used to be great. I do not know who you’re but certainly you are going to a famous blogger if you happen to are not already. Cheers!

I’m not sure where you’re getting your info, but great topic. I needs to spend some time learning much more or understanding more. Thanks for fantastic information I was looking for this info for my mission.